Analysis
What does the death of the EU data directive mean?
By Benjamin Fox
The EU's data retention directive was agreed in 2006, in the wake of terrorist attacks in Madrid and London in 2004 and 2005 respectively, as governments attempted to tighten national security rules.
Under the regime, telecoms companies were required to retain phone and email data for at least six months and up to two years (according to national law), for possible use in investigating and prosecuting terrorist and other serious crimes.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Don't miss out on
Our exclusive news stories and investigations. Influential. Investigative. Independent.
Why join?
Watch our founder Lisbeth Kirk explain the reasons in this 30-second video.
Already a member?
-
The ruling by the European Court of Justice leaves rules on data retention in a state of limbo (Photo: Lee Morley)
26 of the EU's 28 member countries have applied the regime into their own national legal framework. Germany and Belgium did not.
Why does the Court say it is illegal?
Digital Rights Ireland launched a court action in 2012 against the transposition of the directive, as did 11,130 Austrian rights campaigners, both of which were referred to the EU's top court, the European Court of Justice. In its ruling yesterday (8 April) the ECJ found that the directive was in breach of the right to respect for private life and the fundamental right to the protection of personal data.
"By requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data," the court in Luxembourg ruled.
But the Court did not rule that data retention itself is illegal, rather that the requirements in the EU legislation were excessive.
"The Court is of the opinion that, by adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality."
The judgement should not come as that much of a surprise, since it is in line with an opinion published in December by the ECJ's advocate general Pedro Cruz Villalon, which recommended the directive be overturned. Cruz Villalon also stated that the directive breached the Charter of Fundamental Rights.
What does it mean?
The ruling means that, in legal terms, the directive is null and void. There is no EU legislation on data retention.
"We are going back as if it never existed," a Commission source told EUobserver.
EU home affairs commissioner, Cecilia Malmstroem, said that the ruling brought "clarity and confirms the critical conclusions in terms of proportionality of the Commission's evaluation report of 2011" on the implementation of the directive.
Does that mean that the 26 national laws are invalid?
No, they will remain in place. The Court ruling does not immediately affect the rights of an EU government to demand that telecoms firms retain phone and email data.
National governments could face a flood of legal challenges against their own laws from citizens claiming breaches of privacy. But claimants would have to prove that the national laws were in breach of the Charter, which applies to all EU and national law across the bloc.
Governments face two options: to keep to their existing laws and wait for possible legal actions; or to re-write their national laws.
Meanwhile, telecoms companies could also press legal challenges relating to the length of time they are expected to retain data for under national law.
What happens next?
The European Commission was not eager to defend the legislation following the ECJ ruling.
"We all know this is not Malmstroem's favourite directive," a Commission source told EUobserver, adding that the bill had been drafted in response to "a very specific situation . . . and it was clearly done in a hurry".
Commission officials have indicated that the EU's executive arm will take "several months" to assess the impact of the judgement and will scrap its plans to modify the directive.
"There are now no EU rules on data retention . . . so our plan to revise it cannot happen any more," one official told this website. Instead, the Commission is likely to table a new legislative proposal. However, this will not be proposed to MEPs and ministers until after the European elections in May.
But since the Court did not conclude that data retention itself is illegitimate, a future EU law is likely to focus on striking a better balance between the right to privacy and data protection and national security. This will probably mean reduced retention periods and tighter restrictions on government and third party access to data.
What about the countries who refused to implement the directive?
The European Commission had begun infringement proceedings against Belgium and Germany over their refusal to implement the directive. In Germany's case, the EU executive had recommended that it be fined more than €300,000 per day that it had failed to apply the legislation.
The Court ruling does not automatically void these proceedings, but officials have indicated that the 28 commissioners will discuss the end of the two legal actions at their next meeting.
